It is a sad fact that many organizations only considered the risks associated with failure when there was, in fact, already a failure or product nonconformity of some kind and they were engaged in corrective and preventive action. To counter this, the new Standard no longer has a requirement for a distinct preventive action process associated with corrective action but rather calls for RBT to be applied at various stages in the planning, design, development and release of products and services. Your third-party auditor will be asking to see evidence that this is being done, and you yourselves will want to be looking for this in your own internal audits.
There is nothing stopping you from continuing to follow a preventive action process after corrective action, and there is a lot to recommend that you do continue, but that will not be sufficient to satisfy the requirement for risk-based thinking.
By risks we are talking not only about potential hazards to health and safety but also the risk of damage to property and/or financial loss, whether for the customer, a third party, or the organization itself. The presumption is that one important purpose of a quality management system is precisely to prevent bad things happening. Thus risk-based thinking will weigh risks against the benefits of proceeding or not proceeding with a course of action, and decide on implementing mitigations or not.
|RBT: Middle road - out of the weeds to left and right?|